Built-In Expressions and Objects in Spring Security

By Arvind Rai, December 28, 2013

Spring Security exposes a set of built-in expressions and objects for checking the roles and other properties of the caller. They are Spring Expression Language (SpEL) expressions evaluated by Spring Security, and they are a powerful way to state access rules. The root object that defines them is SecurityExpressionRoot (authentication, principal, hasRole(), hasAuthority(), permitAll and so on). Its web subclass WebSecurityExpressionRoot adds the web-specific helpers used in the http namespace, and the method-security root (which implements MethodSecurityExpressionOperations) adds filterObject and returnObject for annotated methods, so the same expressions can be used in the Spring Security XML, in the service layer and in controllers. Before using them, two settings are needed in the Spring Security XML.

To use expressions in the http namespace, set use-expressions="true" on the http element:

<http use-expressions="true">

With this switch on, the access attribute of every intercept-url inside that element is parsed as an expression, so access="ROLE_ADMIN" must become access="hasRole('ROLE_ADMIN')". Spring Security 3.x defaults use-expressions to false; from 4.0 it defaults to true.

For the service layer and controllers, enable the pre/post annotations in the global-method-security namespace:

<global-method-security pre-post-annotations="enabled"/>

This turns on @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter on Spring-managed beans. The annotations only take effect when a method is invoked through the bean's proxy; objects created with new, or methods called from within the same class, bypass them.

The rest of this page walks through the built-in objects used most often with these annotations.
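The two settings above, expressed as Java configuration (Spring Security 5.0 to 5.6 style, where WebSecurityConfigurerAdapter and @EnableGlobalMethodSecurity still exist). This is an added example, not code from the original article; the /admin/** path and the in-memory users are assumptions made for illustration:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Java-config equivalent of <http use-expressions="true"> together with
// <global-method-security pre-post-annotations="enabled"/>.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)   // enables @PreAuthorize/@PostAuthorize/@PreFilter/@PostFilter
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // authorizeRequests() always evaluates SpEL, so access() takes the same expressions
        // that use-expressions="true" enables in the XML intercept-url access attribute.
        http
            .authorizeRequests()
                // hypothetical path; hasAuthority() avoids the version-dependent ROLE_ prefix handling of hasRole()
                .antMatchers("/admin/**").access("hasAuthority('ROLE_ADMIN')")
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory users constructed for this example only. The {noop} prefix tells
        // Spring Security 5's DelegatingPasswordEncoder the password is stored in clear text.
        auth.inMemoryAuthentication()
            .withUser("alice").password("{noop}alice-pw").roles("USER")     // stored as ROLE_USER
            .and()
            .withUser("admin").password("{noop}admin-pw").roles("ADMIN");   // stored as ROLE_ADMIN
    }
}
```

roles("ADMIN") stores the authority as ROLE_ADMIN, which is why the access expression checks hasAuthority('ROLE_ADMIN'); the same expression works unchanged inside an intercept-url access attribute once use-expressions="true" is set.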

authentication in Spring Security

authentication resolves to the caller's current Authentication object, taken from the SecurityContext. Its properties are reachable with ordinary SpEL property access, for example authentication.name, authentication.principal or authentication.authorities (principal is a shorthand for authentication.principal), and it can be combined with method arguments (#paramName) in @PreFilter, @PostFilter, @PreAuthorize and @PostAuthorize expressions in the service layer. Because it is defined on SecurityExpressionRoot, it is also available in intercept-url access expressions.

filterObject in Spring Security

filterObject is a built-in object used with @PreFilter and @PostFilter. The annotated argument (@PreFilter) or the return value (@PostFilter) must be a collection or an array; Spring Security evaluates the expression once per element, binding that element to filterObject, and removes the elements for which the expression is false. This is how a result set is trimmed by role or ownership instead of being rejected outright. Two practical points: the collection must be mutable, because elements are removed in place, and when a @PreFilter method has more than one collection parameter, filterTarget must name the one to filter. For more detail see the separate page on @PreFilter and @PostFilter.

returnObject in Spring Security

returnObject is a built-in object used with @PostAuthorize in the service layer. The method body executes first, its return value is bound to returnObject, and the expression is then evaluated; if it is false the caller receives an AccessDeniedException instead of the value. Because the method has already run by the time the check happens, @PostAuthorize suits read operations whose result decides access (for example, confirming that the returned record belongs to the caller), not operations with side effects. For more detail see the separate page on @PreAuthorize and @PostAuthorize.
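The three objects described above (authentication, filterObject and returnObject) used together in one service bean, as an added example that is not part of the original article. It assumes the pre/post annotations are enabled as shown earlier, that the bean is called through its Spring proxy, and a hypothetical Document type with constructed sample data; hasAuthority('ROLE_ADMIN') is used rather than hasRole() to avoid the ROLE_ prefix handling that changed between Spring Security 3 and 4:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

@Service
public class DocumentService {

    // Hypothetical domain object; the fields are assumptions made for this example.
    // The getters matter: SpEL resolves returnObject.owner and filterObject.confidential through them.
    public static class Document {
        private final long id;
        private final String owner;          // username of the owning principal
        private final boolean confidential;

        public Document(long id, String owner, boolean confidential) {
            this.id = id;
            this.owner = owner;
            this.confidential = confidential;
        }
        public long getId() { return id; }
        public String getOwner() { return owner; }
        public boolean isConfidential() { return confidential; }
    }

    // Constructed sample data standing in for a repository.
    private final List<Document> store = new ArrayList<>(Arrays.asList(
            new Document(1, "alice", false),
            new Document(2, "alice", true),
            new Document(3, "bob", true)));

    // authentication: the caller's Authentication object. #owner is the method argument;
    // @P exposes the parameter name without relying on compiler debug information.
    @PreAuthorize("hasAuthority('ROLE_ADMIN') or #owner == authentication.name")
    public List<Document> listFor(@P("owner") String owner) {
        List<Document> result = new ArrayList<>();
        for (Document d : store) {
            if (d.getOwner().equals(owner)) {
                result.add(d);
            }
        }
        return result;
    }

    // returnObject: the body runs first, the return value is bound to returnObject, then the
    // expression is checked. A missing document (null) fails the ownership test exactly like
    // someone else's document, so a non-admin caller cannot tell the two cases apart.
    @PostAuthorize("hasAuthority('ROLE_ADMIN') or returnObject?.owner == authentication.name")
    public Document find(long id) {
        for (Document d : store) {
            if (d.getId() == id) {
                return d;
            }
        }
        return null;
    }

    // filterObject with @PreFilter: each element of the argument collection is bound to
    // filterObject in turn and removed before the body runs if the expression is false.
    // The list must be mutable, because Spring Security removes elements in place.
    @PreFilter("hasAuthority('ROLE_ADMIN') or filterObject.owner == authentication.name")
    public int archive(List<Document> docs) {
        return docs.size();   // only the elements that survived the filter are seen here
    }

    // filterObject with @PostFilter: each element of the returned collection (or array) is
    // bound to filterObject; other users' confidential documents are pruned from the result.
    @PostFilter("hasAuthority('ROLE_ADMIN') or !filterObject.confidential"
            + " or filterObject.owner == authentication.name")
    public List<Document> search() {
        return new ArrayList<>(store);   // hand out a fresh mutable copy, never the backing list
    }
}
```

With alice (ROLE_USER) authenticated and the bean invoked through its proxy: listFor("alice") returns documents 1 and 2 while listFor("bob") is refused before the body runs; find(3) throws AccessDeniedException after the lookup; archive() of all three documents sees only two; and search() returns documents 1 and 2, document 3 having been removed as another user's confidential record. An admin caller passes every expression on the first operand and sees everything.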